Network Security: Detailed info on Trouble with Reflection

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Web-App-Sec

[Top] [All Lists]

Trouble with Reflection

from [V.Benjamin Livshits] Network Security

[Permanent Link]

Subject:	Trouble with Reflection
Date:	Fri, 12 Nov 2004 15:26:06 -0800

I've seen a large number of cases where components of an application
(such as individual servlets, beans, plugins, etc.) are loaded
reflectively. The names used for reflective invocation are ofen read
from confiration files and such.

It seems that if the intruder has access to that configuration file, but
not perhaps to the rest of the application, he should be able to
substitute malicious remote implementations for the classes to be
loaded. I guess, that's somewhat similar to loader hijacking attacks.

Are there inteersting situations or scenarios where application
configuration might fall under malicious user's control? By interesting
I mean something other than just storing these files in easily
accessible location. 

Have there been any attacks along these lines?

Thanks,
-Ben

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
RE: Sample JAVA application, Scott, Richard Re: Sample JAVA application, Chris Vanden Berghe Re: Sample JAVA application, Jeff Williams RE: Sample JAVA application, Tal Mozes RE: Sample JAVA application, Michael Silk Re: Sample JAVA application, Jean-Jacques Halans Re: Sample JAVA application, Chris Vanden Berghe Re: Sample JAVA application, Jeff Williams Trouble with Reflection, V.Benjamin Livshits <=

Previous by Date:	RE: New Whitepaper - "Second-order Code Injection Attacks", Mark Curphey
Next by Date:	Hidden Form Field Tool, nanoLox
Previous by Thread:	Re: Sample JAVA application, Jeff Williams
Next by Thread:	Looking for a Web Application Vulnerable to XSS Cookie Grab, CFW
Indexes:	[Date] [Thread] [Top] [All Lists]